News

New Amazon Order Confirmation Emails Could Be Phishing Attempts

Posted by nstsystems On January 11th, 2019

According to Alexa, Amazon is the 4th most visited website in the United States and ranks 8th worldwide. To say that it gets a lot of traffic every day would be an understatement, which is why a newly discovered phishing campaign pretending to come from Amazon is so disturbing.

Although Amazon sees heavy traffic every day of the year, things get especially frenzied during the holidays as shoppers flock to the company's website to buy Christmas presents for friends and family. Scammers know this and seek to take advantage of unwary shoppers, thus the genesis of their latest campaign. The security firm EdgeWave has been monitoring the development of the campaign.

Scammers are sending out well-crafted, sophisticated emails that appear to come from Amazon, featuring subject lines designed to draw the attention of online shoppers, such as "Your Amazon.com Order" Or "Your Amazon Order (order number) has shipped."

Naturally, if you've purchased something from Amazon, you'll be inclined to open the email to get more information. You'll then be presented with something that appears to be a legitimate order confirmation, although lacking in any specific details about the product.

In lieu of that, the scammers have placed an 'Order Details' button in the email, inviting users to click for additional information. Unfortunately, clicking the link downloads a word document onto the user's device. If the user tries to open it, they'll get a message that says they need to enable content in order for the message to be properly displayed.

What this does in actuality though, is enable macros, which hackers and scammers have been using for years to inject malicious code onto PCs around the world, and sure enough, that's exactly what happens in this case.

EdgeWave researchers have tested the poisoned document and discovered that as the download begins, what is apparently being downloaded is a file called 'keyandsymbol.exe'. However, embedded in the code, they found references to mergedboost.exe.

By now, most people know better than to click links or open files, even when they seem to come from a trusted source. This latest campaign underscores the importance of ongoing education and friendly, periodic reminders.